cert-manager
diff --git a/‎.eslintignore‎
Lines changed: 0 additions & 5 deletions b/‎.eslintignore‎
Lines changed: 0 additions & 5 deletions
diff --git a/‎.eslintrc.json‎
Lines changed: 0 additions & 32 deletions b/‎.eslintrc.json‎
Lines changed: 0 additions & 32 deletions
diff --git a/‎.github/chainguard/make-self-upgrade.sts.yaml‎
Lines changed: 10 additions & 0 deletions b/‎.github/chainguard/make-self-upgrade.sts.yaml‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎.github/chainguard/renovate.sts.yaml‎
Lines changed: 14 additions & 0 deletions b/‎.github/chainguard/renovate.sts.yaml‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎.github/dependabot.yaml‎
Lines changed: 0 additions & 20 deletions b/‎.github/dependabot.yaml‎
Lines changed: 0 additions & 20 deletions
diff --git a/‎.github/renovate.json5‎
Lines changed: 18 additions & 0 deletions b/‎.github/renovate.json5‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎.github/workflows/check.yaml‎
Lines changed: 4 additions & 4 deletions b/‎.github/workflows/check.yaml‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎.github/workflows/make-self-upgrade.yaml‎
Lines changed: 17 additions & 8 deletions b/‎.github/workflows/make-self-upgrade.yaml‎
Lines changed: 17 additions & 8 deletions
diff --git a/‎.github/workflows/renovate.yaml‎
Lines changed: 62 additions & 0 deletions b/‎.github/workflows/renovate.yaml‎
Lines changed: 62 additions & 0 deletions
diff --git a/‎.gitignore‎
Lines changed: 1 addition & 0 deletions b/‎.gitignore‎
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1,10 @@
+# THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT.
+# Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/repository-base/base/.github/chainguard/make-self-upgrade.sts.yaml instead.
+
+issuer: https://token.actions.githubusercontent.com
+subject_pattern: ^repo:cert-manager/website:ref:refs/heads/(main|master)$
+
+permissions:
+  contents: write
+  pull_requests: write
+  workflows: write
@@ -0,0 +1,14 @@
+# THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT.
+# Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/repository-base/base/.github/chainguard/renovate.sts.yaml instead.
+
+issuer: https://token.actions.githubusercontent.com
+subject_pattern: ^repo:cert-manager/website:ref:refs/heads/(main|master)$
+
+permissions:
+  administration: read
+  contents: write
+  issues: write
+  pull_requests: write
+  security_events: read
+  statuses: write
+  workflows: write
@@ -0,0 +1,18 @@
+{
+  $schema: 'https://docs.renovatebot.com/renovate-schema.json',
+  extends: [
+    'github>cert-manager/renovate-config:default.json5',
+  ],
+  packageRules: [
+    {
+      groupName: 'Misc NPM packages',
+      matchManagers: [
+        'npm',
+      ],
+      matchUpdateTypes: [
+        'minor',
+        'patch',
+      ],
+    },
+  ],
+}
@@ -6,12 +6,12 @@ on:
   pull_request:
 jobs:
   pull-cert-manager-website-verify:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
         with:
-          node-version: 20
+          node-version: 22
           cache: npm
       - run: npm ci
       - run: npm run check
@@ -15,11 +15,10 @@ jobs:
   self_upgrade:
     runs-on: ubuntu-latest
 
-    if: github.repository_owner == 'cert-manager'
+    if: github.repository == 'cert-manager/website'
 
     permissions:
-      contents: write
-      pull-requests: write
+      id-token: write
 
     env:
       SOURCE_BRANCH: "${{ github.ref_name }}"
@@ -32,17 +31,26 @@ jobs:
           echo "This workflow should not be run on a non-branch-head."
           exit 1
 
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Octo STS Token Exchange
+        uses: octo-sts/action@e480437973a6f6ac2e9caa40ecabedc870d76395 # v1.0.1
+        id: octo-sts
+        with:
+          scope: 'cert-manager/website'
+          identity: make-self-upgrade
+
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         # Adding `fetch-depth: 0` makes sure tags are also fetched. We need
         # the tags so `git describe` returns a valid version.
         # see https://github.com/actions/checkout/issues/701 for extra info about this option
-        with: { fetch-depth: 0 }
+        with:
+          fetch-depth: 0
+          token: ${{ steps.octo-sts.outputs.token }}
 
       - id: go-version
         run: |
           make print-go-version >> "$GITHUB_OUTPUT"
 
-      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
         with:
           go-version: ${{ steps.go-version.outputs.result }}
 
@@ -73,8 +81,9 @@ jobs:
           git push -f origin "$SELF_UPGRADE_BRANCH"
 
       - if: ${{ steps.is-up-to-date.outputs.result != 'true' }}
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
+          github-token: ${{ steps.octo-sts.outputs.token }}
           script: |
             const { repo, owner } = context.repo;
             const pulls = await github.rest.pulls.list({
@@ -100,6 +109,6 @@ jobs:
                 owner,
                 repo,
                 issue_number: result.data.number,
-                labels: ['skip-review']
+                labels: ['ok-to-test', 'skip-review', 'release-note-none', 'kind/cleanup']
               });
             }
@@ -0,0 +1,62 @@
+# THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT.
+# Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/repository-base/base/.github/workflows/renovate.yaml instead.
+
+name: Renovate
+on:
+  workflow_dispatch: {}
+  schedule:
+    - cron: '0 2 * * *'
+
+permissions:
+  contents: read
+
+jobs:
+  renovate:
+    runs-on: ubuntu-latest
+
+    if: github.repository == 'cert-manager/website'
+
+    permissions:
+      id-token: write
+
+    steps:
+      - name: Fail if branch is not head of branch.
+        if: ${{ !startsWith(github.ref, 'refs/heads/') && env.SOURCE_BRANCH != '' && env.SELF_UPGRADE_BRANCH != '' }}
+        run: |
+          echo "This workflow should not be run on a non-branch-head."
+          exit 1
+
+      - name: Octo STS Token Exchange
+        uses: octo-sts/action@e480437973a6f6ac2e9caa40ecabedc870d76395 # v1.0.1
+        id: octo-sts
+        with:
+          scope: 'cert-manager/website'
+          identity: renovate
+
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        # Adding `fetch-depth: 0` makes sure tags are also fetched. We need
+        # the tags so `git describe` returns a valid version.
+        # see https://github.com/actions/checkout/issues/701 for extra info about this option
+        with:
+          fetch-depth: 0
+          token: ${{ steps.octo-sts.outputs.token }}
+
+      - id: go-version
+        run: |
+          make print-go-version >> "$GITHUB_OUTPUT"
+
+      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        with:
+          go-version: ${{ steps.go-version.outputs.result }}
+
+      - name: Self-hosted Renovate
+        uses: renovatebot/github-action@f8af9272cd94a4637c29f60dea8731afd3134473 # v43.0.12
+        with:
+          configurationFile: .github/renovate.json5
+          token: ${{ steps.octo-sts.outputs.token }}
+        env:
+          RENOVATE_REPOSITORIES: '["${{ github.repository }}"]'
+          RENOVATE_ONBOARDING: "false"
+          RENOVATE_PLATFORM: "github"
+          LOG_LEVEL: "debug"
+          RENOVATE_ALLOWED_COMMANDS: '[".*"]'
@@ -50,6 +50,7 @@ public/feed.*
 
 # IntelliJ
 .idea
+*.iml
 
 # Our release-process.md tells us to run 'sed' commands that create .bak files.
 *.bak